[00:00.000 --> 00:10.740]  Welcome everyone to my presentation discussion on how you can develop a student mindset to help propel your life into becoming a penetration tester.
[00:10.740 --> 00:24.200]  My name is John Helmes and I'm currently a penetration tester for Nordstrom headquarters based out of Seattle, Washington, as well as an adjunct professor for the City University of Seattle, based out of Seattle, Washington.
[00:24.200 --> 00:27.420]  I teach cybersecurity courses there as well.
[00:28.360 --> 00:50.060]  So, today's talk is going to discuss about how I got to that portion of my career and how I can basically use that framework and help out the masses to allow you to use this framework to apply it to yourself and help get you into a career in pen testing.
[00:50.060 --> 00:53.640]  So, with that being said, let's go ahead and get started.
[00:55.240 --> 00:58.900]  So, this is the agenda for today's talk.
[00:58.900 --> 01:01.700]  We're going to have a quick introduction about myself.
[01:01.700 --> 01:07.900]  It's going to list out just some of my background and discuss of how I got into pen testing.
[01:07.960 --> 01:13.580]  Then we're going to have a general overview of, in my own words, what pen testing really is.
[01:13.580 --> 01:19.080]  We're going to talk about how you can develop the student mindset and what that really means.
[01:19.080 --> 01:22.700]  And it's not, you know, a traditional academic student mindset.
[01:23.140 --> 01:36.140]  And then we're going to look at some roadmaps about, you know, ways of how you can get into pen testing and what type of jobs you can look at that will help carve out a path for you to get into pen testing.
[01:36.340 --> 01:43.520]  As well as some different job titles that may or may not have pen testing as part of that job title.
[01:43.520 --> 01:53.600]  We'll also talk about some speed bumps that you can fully expect while you're trying to get into pen testing or even cybersecurity in general and talk about how we can work around some of those speed bumps.
[01:53.600 --> 01:59.780]  We're also going to talk about some of the educational things that you might see, you know, for pen testing jobs.
[01:59.780 --> 02:06.260]  The requirements such as a bachelor's, a master's degree, some jobs even, you know, ask that you have a PhD.
[02:06.900 --> 02:15.440]  And then we're going to talk about certifications, talk about the cost for certifications and just the amount of time that you're going to need for each certification.
[02:15.440 --> 02:22.820]  So we can break it down about how much money it's going to cost per month if that's a certification that you would be interested in.
[02:22.820 --> 02:39.180]  And then we're going to talk about how, you know, once you try or once you become a pen tester, how we can maintain that student mindset and how we can maintain the motivation to keep learning and to keep teaching, right?
[02:39.180 --> 02:44.040]  Because as cybersecurity professionals, our job is to help others, right?
[02:44.040 --> 02:51.580]  And in pen testing, it's a very small community and we really rely on each other to help each other learn and to grow.
[02:51.580 --> 03:00.980]  And then to finish up the talk today, we're going to talk about just some issues that we're seeing in the cybersecurity field in the COVID era.
[03:00.980 --> 03:12.220]  And what I mean by that is we're going to look at some of the speed bumps of what I see happening in the world as it pertains to getting into pen testing.
[03:12.220 --> 03:17.840]  So we're going to talk about how you can kind of maneuver around some of those COVID issues.
[03:17.840 --> 03:26.440]  To start off, let's talk about myself. My name is John Helmes. As I said, I'm a penetration tester for Nordstrom headquarters based out of Seattle, Washington.
[03:26.440 --> 03:35.480]  I also am an adjunct professor. However, I didn't always used to be that. I actually started out as a naval engineer.
[03:35.680 --> 03:41.360]  I was in the US Navy for four years and I didn't do anything really tech related.
[03:41.360 --> 03:49.820]  I was a small boat guy. I worked on small boats, worked on the mechanics for them and everything and did small boats operations.
[03:50.060 --> 03:59.160]  Once I got out of the Navy, I decided that after a couple different career moves, that I was going to go into tech.
[03:59.160 --> 04:06.400]  So I decided to get a bachelor's degree in information technology. And while doing that, I got a job as a help desk specialist.
[04:06.400 --> 04:16.740]  I moved up vertically within the company that I started out as a help desk specialist for and became a firewall guy, did a lot of networking.
[04:17.380 --> 04:25.320]  And then while I was pursuing my master's degree, I wound up becoming a cybersecurity engineer for a DoD contract.
[04:25.600 --> 04:34.720]  And then from there, I became an ISSC for a bigger DoD contract and a much, much larger network.
[04:34.720 --> 04:50.220]  And then once I got the ISSC job, I actually was finishing up or had just finished my master's degree and wound up becoming a teacher at a small university based out of San Diego, where I was living at the time.
[04:50.440 --> 04:58.060]  And then from there, I was there for about eight months as the ISSC. And then I pivoted into red teaming for the DoD.
[04:58.060 --> 05:06.700]  And I did that for about eight months as well. And then from there on, I went and became a pen tester for Nordstrom. And I've been up in Seattle ever since.
[05:07.220 --> 05:18.920]  So as you can see, I didn't have, you know, a very technical background. However, during that time, which was the span over about four years, I was continuously going to school.
[05:18.920 --> 05:34.240]  I was getting one to two or three certs every year, if you averaged it out. And I just kept growing and I kept learning. And I was fortunate enough that while I was in the help desk role and getting my bachelor's degree, I was introduced to Kali Linux.
[05:34.440 --> 05:48.160]  And also learned that, you know, Kali Linux was a very popular operating system used by penetration testers, then learned what pen testing was and was just completely engaged in that topic and have been ever since.
[05:48.160 --> 05:57.920]  And we're going to talk a lot about that, about how, you know, you can use an untraditional path and just use passion towards getting towards pen testing to get into pen testing.
[05:57.920 --> 06:17.920]  Some other things that I've done as well along my journey is I've been a content writer for CompTIA. If you've taken any test questions through CertMaster for the Network+ exam, or for the PenTest+ exam, then there's a good chance that you might have had a question that I wrote.
[06:17.920 --> 06:36.760]  I also currently write content for Medium. I have my own blog that I maintain through there. I've been a technical project manager for various different projects throughout my career. I also do bug bounty when I have time. I have an account on HackerOne and Bugcrowd.
[06:36.760 --> 07:03.220]  I also do my own research for AWS. I'm actually currently working with a large publisher to put out a book based around that topic towards the end of this year. And as it says down there, I'm a pending author. So as you can see, I started out in a not very technical position. However, I was fortunate enough to realize early on in my academic journey and in my tech journey that I really liked pen testing.
[07:03.220 --> 07:21.700]  And I took that and harnessed that energy to push myself forward and turn that energy into a passion. And that's what this discussion and this talk is going to be about is how we can turn that idea and that want into a passion and how to really roadmap that passion.
[07:21.700 --> 07:44.060]  But before we do that, let's go ahead and talk about exactly what pen testing is. So penetration testing, which is also known as pen testing or pen test or ethical hacking, it's an authorized simulated attack on a client organization. This organization has signed you on and says, hey, we need you to evaluate our company by actually discovering and exploiting vulnerabilities.
[07:45.160 --> 08:04.180]  So what does that really mean? Well, it's more than just hacking things, right? It's a business. It's a business approach. So I wrote this quick little analogy example, right, where pen testing is like you're trying to find something, right? And you know what you may or you may or may not know what you're trying to find, but you're trying to find something, right?
[08:04.180 --> 08:33.160]  So we'll say something is X, and that's the scope, right? And then the scope of pen testing scope is what you're allowed to ethically hack. So X can be whatever, right? And we are trying to get to X. And then we get to X, right? We finally in a pen test, let's say X was a target system, we get onto the target system. And now we find out more about that target system. Right? And this target system is X. We find out more about that target system and more about the environment that it's in.
[08:33.160 --> 09:00.820]  And we find other machines and targets and hosts and all sorts of things, right, that are associated with X. So we have Y and Z. And we start moving to Y and Z and starting finding out more about Y and Z and the environments that Y and Z are in, right? We like to think of that as like lateral movement, right? Because that's a big portion of pen testing is once you get on, once you actually get onto a machine that you've done your research, discovery, enumeration, and then you get persistent access, we find out more about X and the surrounding components of X.
[09:00.820 --> 09:28.500]  So when you get to Y and Z, that's lateral movement. And that's a key thing that I want you to remember. Because on this next slide here, it says, imagine you have to write out a comprehensive report that details every step that you made before going to X, during getting on X, right, and X is a system, and then after. And right, we use the term web search here, because in the previous slide, it mentioned web search as an example.
[09:29.340 --> 09:56.660]  So now you have to illustrate the why and the what and the impact of everything that you did, right? You have to this and then you have to give an illustration of how to fix it, and how we can do a better job next time. And we meaning the pen testing company, which would be you and the client organization, right? So that's pen testing.
[09:56.660 --> 10:04.980]  Pen testing is a lot of research. It's a lot, a lot of discovery, and a little bit of technical capabilities.
[10:06.600 --> 10:25.140]  So this is straight from a blog of mine. It's the reality of pen testing, right? I think I always think that, you know, from the outside looking in, a lot of times, individuals might think that pen testing is this, you know, capture the flag kind of exercise when it's anything but that.
[10:25.140 --> 10:47.240]  It's really an advanced business process, in my opinion. So here it says, the reality of pen test is banging your head against a wall and looking at systems that are typically locked down fairly well. Shout out to all the big companies and small companies and medium companies out there that are locking down their systems and, you know, making pen testers' jobs a nightmare at times.
[10:48.180 --> 11:10.160]  You know, that's really what it is. You're looking for issues in systems that are probably not there. However, you, as the pen tester, need to verify that. And when, you know, we think about verification, we think about quality assurance, we think about quality checks, right? We're doing a quality check for a system. That's essentially what pen testing is.
[11:10.160 --> 11:26.300]  We are highly technical quality assurance people. That's essentially what we're doing. And I'm not downplaying pen testing. Please don't let that steer you away because as we're going to see throughout this entire discussion, it's a very, very interesting field to be in.
[11:26.300 --> 11:52.000]  However, to note, penetration testing is probably 70% report writing and research and only actually 30% hands on. So, you know, if only being in a technical aspect is what, you know, engages you, then this might not be the field for you. However, you know, let's keep looking and, you know, perhaps throughout this roadmap, you'll see something that piques your interest.
[11:52.000 --> 12:21.840]  Because there's a lot of different things that you can do that involve pen testing that just isn't part of the pen testing job title. So why do we pen test, right? Well, we have this white hat, gray hat, and black hat. The white hat guy is the good guy. That's the penetration testers. Those are the guys that are out there getting paid to authorize, or I'm sorry, getting paid to hack a system with authorization and provide a report that shows the landscape of the client, right?
[12:22.000 --> 12:49.360]  That shows the threat landscape, that shows all the issues and parts that can be exploited and things like that. The gray hat, I always like to say, is the individual who is in between the white hat and the black hat. That's the guy who, you know, might hack the system and patch it and then tell you, or they might hack the system and tell you, even though they weren't authorized. You know, you see a lot of different gray hats out there.
[12:50.300 --> 13:13.420]  The best way I always like to say it is that the gray hat is the individual who would hack your system to feed their family if they needed to. You know, it's that kind of like moral conflict kind of thing. So there's a lot of different ways of how a gray hat can, you know, can hack a system and what and exactly what that entails. So, you know, please go out and research different gray hat areas.
[13:13.420 --> 13:22.060]  However, the black hat is a very definitive answer where they are the malicious cyber criminals that keep the white hat employed, so to speak.
[13:22.600 --> 13:48.940]  And then the other big reason for pen testing is because we need to pen test for compliance, right? That's why we got a pen test, because organizations have to meet a bare minimum in order to operate, right? And if they can't operate, well, then they can't generate revenue and money and stuff like that. So we have to pen test so that they can make money.
[13:52.360 --> 14:13.840]  So for those of you that get into compliance-based pen testing, a lot of times you'll hear like, hey, we just need you to do this and this and this so that we can pass our compliance checks. And that happens a lot. And there's nothing wrong with that. However, do know that just because something is compliant, it doesn't mean it's secure. It just means it's at the most secure level that it has to be to operate.
[14:13.840 --> 14:27.160]  So I'm going to move my face window here just a little bit. I'm going to move that around for the rest of the presentation just so that it doesn't take up important parts of the slides.
[14:29.020 --> 14:46.180]  So now let's look. Becoming a penetration tester, right? So these are some of the topics that we're going to talk about. We already mentioned that at the beginning a little bit. So we're going to talk about the mindset, being curious, expanding your network, and how we can just maintain our skill sets and then eventually give back.
[14:46.180 --> 15:02.400]  Because again, like I said, this is a small field. And it's almost kind of like an almost everyone knows everyone sort of kind of vibe. So it's really, really crucial that you understand that it's a community where we all like to help each other.
[15:03.880 --> 15:28.680]  So the student mindset, what does that mean? It doesn't necessarily mean you need to go into academia and constantly be getting degrees and things like that. What that means is that you need to develop a framework in your head where you're constantly eager to learn, right? And you're continuously setting goals that you want to achieve. You're setting milestones, right? You know where you want to be. So you have to make a roadmap to get there.
[15:28.680 --> 15:52.140]  So how do we do that? Well, we have to stay out of our comfort zone. And we have to understand that that's, that's what it's going to be. And that's how it's going to be. And the other thing is, is that we have to have people help us get there, right? We have to be humble to do that. And we have to find mentors that will ensure that we are doing what we need to do to get where we want to go.
[15:53.060 --> 16:19.260]  And the other big thing, and I always like to say this, is that when we're on our journeys into becoming pen testers, and when we're on our journeys to be better pen testers, don't ever try to seek validation. You know, this isn't about getting recognition for having, you know, the most certs or the most degrees or the most CVEs or the most exploits and, and things like that. It's about helping out everyone, right?
[16:19.260 --> 16:29.300]  And that's why I say, not seeking validation, but seeking education, right? You're, you're out there seeking to help and educate others while also educating yourself.
[16:29.300 --> 16:49.680]  And the biggest thing too here is this last point here where it says, leave fear in the rear view mirror. What that means is there are going to be plenty of times in your journey and in your career where you're going to be afraid of something, right? Or it's going to startle you, and it might draw you back a little bit.
[16:50.220 --> 17:03.340]  Don't do that because otherwise it's pushing you back into your comfort zone. And if you don't stay out of your comfort zone, you're not going to be able to grow. So you really have to look at fear and just move past it.
[17:04.920 --> 17:26.800]  So let me move my window a little bit. We have to be curious. Penetration testers have to be curious. They have to be eager to want to learn and understand how things work, right? You also have to be creative. That's a big, big fun portion of this, this career field, in my opinion, is that we get to be creative, right?
[17:27.360 --> 17:40.540]  We get to tinker around and look at things from a different angle, and we get to write up things that might not be so traditional. And there's just so many ways of how you can be creative in this field.
[17:41.420 --> 17:58.760]  But the other thing is too, and it falls in with the being humble and also seeking to learn and leaving fear behind, is that you have to be willing to dive into anything and be hungry to learn new things, right?
[17:58.760 --> 18:10.680]  And as it says down here, being a pen tester is about being a jack of all trades, but a master of none. And what I mean by that is that a pen tester has to, again, be a tinkerer and want to do a little bit of everything.
[18:11.100 --> 18:27.720]  However, you're not going to be a master of anything. You might have a specialty where you focus on a particular topic. However, that doesn't mean that you're going to master it because, as we have seen, technology is continuously evolving and continuously changing.
[18:27.720 --> 18:31.080]  So if you master something one day, it might change the next day.
[18:34.960 --> 18:37.500]  And let me change this slide.
[18:45.780 --> 18:57.220]  So what's the next portion? Growing your network. This is a big, big thing that I feel is not talked about a lot, right?
[18:57.540 --> 19:04.400]  This is one of the things that's going to really help push your career field forward. It's what helped push mine forward.
[19:05.760 --> 19:19.420]  I essentially got into cybersecurity because I had a couple certifications and I had a degree. However, I didn't know a lot of individuals in cybersecurity that could help me in.
[19:19.420 --> 19:31.840]  And eventually, I met someone who was an ISSO and basically hired me on to be part of their DoD contract as a cybersecurity engineer.
[19:31.840 --> 19:37.880]  So with that being said, that was a big, big help to get me into cybersecurity.
[19:39.140 --> 19:48.180]  So from there, obviously, my career pushed forward. So growing your network is a big portion. So where can you go to grow your network?
[19:48.180 --> 19:58.120]  Well, for those of you in school, there's a lot of times your professors, they may actually be engineers that are working in the field. Make sure that you network with them.
[19:58.120 --> 20:12.660]  Your fellow students, right? They may actually be already in the field. There's a lot of degree programs at night schools and adult educational schools where a lot of the individuals are already in the field.
[20:12.660 --> 20:23.580]  They're just getting a degree to help push their career forward. LinkedIn is another great resource. You can build a network on LinkedIn incredibly fast.
[20:23.580 --> 20:36.780]  And especially now, and we'll talk about it later, but during the COVID era, LinkedIn has been a godsend, so to speak, to help others get into cybersecurity or at least find some kind of position in tech.
[20:37.300 --> 20:49.940]  Twitter is another good one. Even Facebook. You never know. You may have a friend from five years ago that may be in cybersecurity now that may be able to help you find a position that you're looking for.
[20:51.820 --> 21:08.760]  Mentors and mentees. You may actually have someone that you were helping out that's already in cyber and they just look up to you, and they may be able to find someone to help push you into a position that you want to be in, that will get you into pen testing.
[21:08.760 --> 21:27.300]  And then obviously mentors. You want your mentors to be someone who is in the field, and that someone can help you get into the field. Conventions, such as the ones now, during the COVID era, all this stuff is online, and we're able to network fairly easily.
[21:27.300 --> 21:35.520]  And a lot of these conventions are all free. They're all online. It makes it pretty streamlined to network.
[21:35.520 --> 21:51.560]  And then the other big things are internships. I know with COVID, internships were canceled for a lot of companies, and it did affect a lot of people. However, when internships become a thing again, it's going to be a really great way for you to get your foot in the door somewhere.
[21:51.560 --> 22:02.920]  And then, of course, on-the-job training. Any place that is offering on-the-job training, whether it's cheap labor or if it's free, if it's going to help you get to where you want to go, then you need to take it.
[22:02.920 --> 22:16.680]  And that plays in part of being humble, is that understanding that you may not jump right into pen testing. You may have to start somewhere else. And that's okay. There's nothing wrong with that, because it's all about the journey.
[22:17.780 --> 22:36.040]  Now, we've talked about our network, so now let's talk about how we can grow some of our technical skills. Because that is, while it may not be the huge portion of pen testing, it is a big portion. And we need to make sure that we can illustrate our technical skills.
[22:36.040 --> 22:59.260]  So how do we go about that? Especially when we're the outside looking in. So I have listed here some ways of how we can test our technical skills. So TryHackMe, HackTheBox, and VulnHub. These are areas where you can access vulnerable machines to test your technical skills and to actually evaluate yourself.
[22:59.260 --> 23:13.580]  As well as read write-ups on older machines that are provided on these websites that allow you to learn how other people were actually hacking the machines, and it helps you develop a methodology in your head.
[23:14.780 --> 23:35.760]  And then another good way is just reading books. Going on Amazon and buying a book every so often, or going into your local bookstore, whichever way is most comfortable for you. Just buy any book. And I can't recommend enough books. If you think it's going to provide some value to you, then read it.
[23:35.760 --> 23:59.860]  However, obviously, because we're talking about pen testing, I always recommend anything that's security or computer science related. And then another great way is to get on to bug bounty platforms such as HackerOne and Bugcrowd. So these are places where you can sign up and use their platform to hack actual websites. And if you find bugs, you report these bugs to the companies.
[23:59.860 --> 24:26.200]  And that's a great way to actually learn in real time how to pen test an actual live website, and to also understand what companies are looking for. So it allows you to assess and evolve your technical skill set in a real environment, while also teaching you a little bit of the business side, because you have to submit reports to the vendors.
[24:26.200 --> 24:40.060]  And then programming. Programming is a big thing, because it teaches you that analytical skill set, which falls in line with the pen testing mindset. And there's plenty of books and free online resources that you can use for that.
[24:40.060 --> 25:04.400]  So now that we talked about how we can grow our network and our technical skill sets, right, we've learned how to work with people, and what we need to do with people. And we've learned about the technical side and how we need to grow our technical skill set. The next portion would be okay, well, I want to start looking at jobs and start, you know, putting some feelers out there and seeing if I can get an interview or something.
[25:04.400 --> 25:29.740]  However, then you might hit a roadblock or a speed bump or something, right? And they may, you may get back from HR saying, Oh, I'm sorry, you know, we're going to be going with another candidate, or something like that. Right. And so these are some of the speed bumps that I see individuals trying to get into pen testing, and trying to hurdle over. So lack of experience in security, programming, or just anything that's technical, right?
[25:29.740 --> 25:42.920]  Those are going to be some of the big issues. And if you get that, then you need to backtrack a little bit, and build up your technical skills a little better using the resources that we just talked about. Lacking certifications, right?
[25:43.600 --> 26:12.900]  A lot of times we want to get the big juicy certification, and we don't realize that there's other smaller certifications that can help build up to that. And those smaller certifications will also help get us positions that will lead us into pen testing. Right? And we'll talk about that here in a couple slides. However, you know, if you're starting out, don't go after the big certifications, right? Go after the smaller ones, so that it can help build your career.
[26:13.380 --> 26:35.460]  And then lack of job openings, right? I'm from a small town in North Carolina, where there are no pen testing jobs. And there's, I don't even know if there's any cybersecurity jobs. I couldn't get a job there if I lived there. So, however, now I live in Seattle, Washington, and you know, there's more jobs than there are people.
[26:35.460 --> 26:47.620]  So, you know, you have to follow where your career is. And if that changes where you are geographically, then, you know, that might be something that you have to do.
[26:48.340 --> 27:14.480]  And then a lack of motivation. Burnout is a very real thing in the pen testing field, because we're constantly engaged, we're constantly learning, we're constantly doing a lot of things where, you know, if you're a pen tester, or a very passionate cybersecurity individual, you're probably running and gunning 12 plus hours a day. And it's really easy to get caught up in all that and not take a break and smell the roses.
[27:14.480 --> 27:41.900]  So make sure that when you develop your roadmap, and when you are looking at ways of how to get where you want to, to where you're at, and where you want to be, that you make sure that you create a realistic timeline that allows for some buffer for you to relax. Because, you know, while it is a fun journey, and it's really easy to get tied up into it, your body and your mind can only handle so much. So make sure that you take a break.
[27:45.160 --> 28:05.100]  So now that we understand some of the speed bumps, we understand how we can work with people to try to get into pen testing, and we've learned some different areas of where we can grow our technical experience without actually even being in the field. Let's talk about some positions that we can get before we even get into pen testing, right?
[28:05.100 --> 28:31.660]  Because if you're hiring, trying to get into pen testing, and just keep getting, you know, denied letters back, then it's time to change your mindset, and think about a different position that will eventually get you into the pen testing position that you desire. So, as I started out in a help desk, and then I went into firewall administration, right? So I went more into like networking sides of things, right? Those are positions that are going to help push you forward, right?
[28:31.660 --> 29:01.220]  And the help desk position is a great position to be in, because it helps teach you a little bit about everything, technical wise, and how, you know, a system is set up within an enterprise. It also allows you to solve technical problems with people. And a lot of those people may not be technically competent, right? So it teaches you how to solve these problems in a less technical way, which is a great skill set to have.
[29:02.200 --> 29:29.880]  So those are some positions that you can get. There's a bunch of different security specialist positions that you can get. Like I was doing vulnerability management, I've done some information assurance stuff. Those are some good positions that you can get into. There's SOC, just being a security engineer, working in the cloud, right? These are all going to be great positions that are going to be great to have on your resume if you're trying to get into pen testing.
[29:30.400 --> 29:59.860]  Another great way, too, is just to put yourself as an independent researcher working on bug bounty platforms, or, you know, doing your own research and publishing it out there on GitHub, and things like that. And then another, you know, less IT, more engineering roles, you can do software engineering, or even secure software engineering, right? Where you're actually building programs. Those are going to be some great positions that are going to help pivot you into pen test.
[30:00.620 --> 30:24.640]  So, again, these are all great positions to have before getting into pen testing. And these are going to be positions that if you can't get into pen testing, start looking at roles like this, and growing from there. And then once we actually look at pen testing, right? So we looked at all the roles that can help us lead into pen testing. So what are some pen testing roles, right? Because you don't have to go on LinkedIn or Indeed and just type in penetration tester.
[30:24.640 --> 30:50.060]  These are some other roles that you can look at that actually do a lot of the offensive security pen testing kind of qualities, right? So of course, there's the penetration tester, there's red teaming, right? You can be a red teamer, red team engineer. Those are going to be the individuals that are off going and doing offensive security operations. And then there's offensive security engineers, right?
[30:50.060 --> 31:18.720]  And a lot of time I see that position title mingle with the word penetration tester. Application security engineers, where you're actually helping secure code, and you're helping application engineers write better code and build better programs and better systems. Of course, there's ethical hacker, I still see that position pop up every so often. It's really just, you know, it's a penetration tester with just a different word, right?
[31:18.720 --> 31:41.940]  But you may see that. Exploit developer, right? That's going to be the individual who's actually going to be hacking applications and developing exploit code. And then you can be a consultant, right? You know, a lot of times smaller firms are just going to be a consultant, and you'll do penetration testing, you'll do vulnerability stuff, and anything in between, right?
[31:41.940 --> 32:10.780]  And then purple teamer, a purple teamer is someone who is going to be between the blue team and the red team, right? And so the key quality there is that they have to understand red teaming and pen testing, and typically have a background in pen testing. And so the great thing there is that, you know, this is a the purple teamer is really a good position to have after you've done pen testing for a while. However, say, you know, you might be looking to spice up your life a little bit.
[32:10.780 --> 32:34.540]  Purple teaming is a good position, or a good job title, rather, to look at. So now that we know how to network, we know the technical skills that we need to build up. And we also understand some of the job titles that we can get before we get into pen testing, and then understand some of the job titles that may have pen testing in them.
[32:34.540 --> 32:58.300]  Now we need to understand the educational requirements, and then also the certification requirements. And some of this may come off a little biased. I have a bachelor's degree and a master's degree and currently pursuing a PhD in cyber operations at the Dakota State University. So, you know, I may present a little bit of bias here.
[32:58.300 --> 33:23.700]  However, I do think that going to school for some is very good, because it's something that requires you to push yourself, right? You have assignments that have deadlines, things like that, right? So if education is something that you look at, and it's something that interests you, these are some of the degrees that you can get that are going to help put you in the right place to become a penetration tester.
[33:23.700 --> 33:39.780]  So computer science, cybersecurity, those are pretty obvious, right? Information systems, computer engineering, those are going to be some really good degrees to get if you want to go become a penetration tester, or even do any of those positions that we mentioned to help get you into pen testing.
[33:39.780 --> 34:02.680]  An MBA, especially if you want to eventually become management within, you know, cyber operations and offensive security, an MBA is a pretty good degree to have. However, I wouldn't recommend to get that, you know, straight out of the gate, right? Coding boot camps are really good. Those are really good. Those are going to help secure you a job as a software engineer, if that's something that you're interested in.
[34:02.680 --> 34:24.520]  And then even criminal justice, you know, I see a lot of individuals that have criminal justice degrees, just because you understand how rules work with culture. And that's a big part of being a pen tester: you have to understand the culture of your clients and your businesses, and how that culture plays with security and how security plays with that culture.
[34:25.040 --> 34:49.500]  So, in a lot of pen testing jobs that you see, you're going to see where it says, you know, a bachelor degree is typically required. And a master's degree is typically desired. So, and what I mean by that is a lot of teams that I've worked on over the past few years, you know, a lot of the individuals, unless you have, you know, 20 years or 15 years of experience, you know, they would love for you to have a master's degree.
[34:49.500 --> 35:09.600]  And in the terms of creating a roadmap, having a master's degree is going to make you that more competitive, right? And it's, it's just one of those things that's going to help kind of make you a unicorn a little bit. You know, and I'm not saying go off and get multiple master's degrees, but at least having one is going to help you, right?
[35:09.600 --> 35:32.180]  And then down here, I also state like, hey, if you want to stay competitive, stay in school, right? Because it's just a great way to keep yourself in that learning mindset, because you constantly have to have assignments due, and things like that. So, so now let's talk about some certifications, right? So let me move my little window here.
[35:32.180 --> 35:58.400]  And so these are some of the certifications that we see to help get you into pen testing and also maintain yourself as a penetration tester. There are some certifications that are not on here. However, I wanted to put some of the more entry level ones as well as the higher level ones that will help get you into pen testing. So I'm not going to read this list right here, because we're about to actually break them down.
[35:58.400 --> 36:22.140]  But we're going to look at like, the cost of the exam vouchers, and how much time you're going to be spending on it. And also, for those of you on the outside looking in who may or may not be in cybersecurity at all, or even have a technical background, I want to mention how hard it might be to pass that exam without any kind of industry experience.
[36:25.240 --> 36:50.580]  So the CompTIA Security Plus, right? This is a great certification that's going to help build your knowledge base of just the security basics. For those of you that go through like bachelor degrees, too, there's a lot of material in most cybersecurity bachelor degrees that follow the Security Plus. So for those of you that are in school right now for cybersecurity, you know, do two things at once.
[36:50.580 --> 37:07.740]  And while you're going to school, also take the Security Plus, right? So how much is it? It's 350 bucks for a voucher, and you're probably going to spend about $200 on extra materials. So that can be extra books, videos, test books, things like that, right?
[37:07.740 --> 37:33.180]  Takes usually about one to three months of consistent studying. So I say consistent for this, that's probably about two hours a day. And then the exam is 90 minutes long, you have anywhere from, I don't know the minimum amount of questions, but as per the site, it says 90. So that's going to be the maximum amount of questions that you have, and you have to score 750 on a grade of 100 to 90.
[37:33.180 --> 37:55.860]  So passing without industry experience. So this is for those of you looking in from the outside. It's not too challenging if you do proper studying, right? And that means you're going to be looking in your books and testing yourself every day for at least two hours for one to three months.
[37:56.460 --> 38:15.920]  So what's the next certification? The next one is the Certified Ethical Hacker, also known as the CEH. This is an exam, it's not hands-on, but it is, as it says here, 125 questions, and those 125 questions test your knowledge of hacking methodologies.
[38:15.920 --> 38:41.180]  So I've taken this and the Security+, and this exam is a lot like the Security+, only it applies hacker methodologies to it. So the cost, as you can see, the voucher is pretty expensive. $1,200 is not cheap. However, this is a good certification to have, because if you want to do compliance-based pen testing, you have to have at least CEH.
[38:42.080 --> 39:06.540]  And there's other certs that you can have too, and we'll mention that. But CEH is the bare minimum if you want to do compliance-based pen testing. So how long does it take with, you know, consistent studying? Again, that's two hours or so a day, one to three months would be expected. The exam is four hours long, and you have to have a 60 to 85% to pass. And that depends on the exam that they give you.
[39:06.540 --> 39:18.420]  So I'm not sure quite how that works. When I took this, I believe it just had a straight bar of what you had to have to pass, and I believe that was 70. However, they've changed it since then.
[39:20.800 --> 39:41.440]  It's a little challenging because it's a lot of questions. However, you can do it if you do proper studying of, you know, two to three hours a day, and then less challenging if you pay $2,000 for the EC Council PEP course, which is a course that they provide for you. I think it's like a week, and they teach you all the topics that are in the exam.
[39:42.480 --> 40:00.620]  So this is one of my favorite certifications out of the whole bunch. This is the eLearn Security Junior Penetration Tester, right? I'm not even going to mention the voucher, because you spend $500 and you get four exam vouchers, plus lab time and all the materials you need to take the exam.
[40:00.620 --> 40:25.180]  This is a great certification, especially now. It's getting a lot of tread on becoming a really well-known cert in the industry, as opposed to three years ago when I took it, nobody knew what it was. So it's a really good exam to take now. So, you know, you need about one to three months of consistent studying, and that's going to be reading the material, being in the labs and everything that they provide for you.
[40:25.180 --> 40:46.560]  And then the great thing about the exam is that it's 100% hands-on. It emulates a black box pen test, and you have to have a 70% to pass it. They give you a bunch of questions. I believe it's like 20 questions, if I remember correctly, that you have to answer by actually performing certain steps within the environment.
[40:46.560 --> 41:02.440]  Passing without industry experience, it's less challenging, even from the outside looking in, because eLearn Security really helps, you know, hold your hand through the entire process of teaching you everything that you need to know to pass that exam with the materials they provide.
[41:03.460 --> 41:20.740]  Another great exam that recently has come to light in the past year or two is the Ethical Hacker Practical Exam. So let's look at the cost. It's $550 for a voucher, and I would say you're probably going to spend $300 on materials and extra labs and stuff.
[41:21.640 --> 41:44.400]  Again, one to three months of consistent studying of the two hours a day. And the great thing about this is it's like the Junior Penetration Testing Cert from eLearn Security. This cert is a hands-on certification as well. They give you 20 questions that you have to answer based on what you can do in the environment that they provide you.
[41:44.400 --> 42:14.200]  However, it's not like a black box pen test. They provide you a scope of machines that you have to attack and provide answers to the questions that they ask you. Now, from the outside looking in, this is a little bit more challenging because they don't really have a lot of materials out there. So you have to kind of go and look on your own. So it makes it challenging in that aspect because you have to go find the materials.
[42:15.660 --> 42:44.380]  So now we went from two hands-on exams to a not hands-on exam. However, I would like to argue that this is actually a fairly challenging exam. The CompTIA Pen Test Plus is the pen testing cert provided by CompTIA. It's $359 for a voucher plus $300 for materials, videos, and some lab stuff that you're going to want to use to help practice your technical skills.
[42:47.580 --> 43:03.540]  The exam itself is 165 minutes. It's a maximum of 85 questions. And just like the Security Plus, 750 on a scale of 100 to 900. You are going to have to do about three to four months of consistent studying. I would argue two to three hours a day.
[43:05.200 --> 43:27.500]  Passing without industry experience is actually challenging. And I took this exam last year, even after being in pen testing for a while. And I took this exam and it was actually quite challenging. They provide a lot of really good scenario-based questions where you really have to go through a process of elimination to answer them based off of a scenario.
[43:27.500 --> 43:48.480]  So again, this is a really good certification to get. And it's fairly cheap, as you can see. It's $350 for the voucher, give or take, and $300 for the material. So if you wanted to quarter that out over the four months, you're going to be spending a little over $150 per month for the cert.
[43:49.600 --> 44:13.440]  The next one is the GIAC Certified Penetration Tester, also commonly known as the GPEN. That's provided by SANS. The cost, as you can see, the voucher is a whopping $2,000. That's a pretty expensive voucher. Plus, the training provided by SANS is one- to two-week training. Plus, they have a NetWars exercise where you and a bunch of other individuals go and do a hacking challenge.
[44:14.140 --> 44:27.880]  However, so that's pretty expensive. As you can see, you could easily rack up $9,000 to $10,000 to do it. However, this is a really good certification. It's another one of those certifications that I believe is required for compliance-based pen testing.
[44:27.880 --> 44:50.760]  So four months of consistent studying. Again, that's based off of the two hours plus a day. The exam itself is three hours. You have 82 to 115 questions, and you have to get a 75 to at least pass. So passing without industry experience, fairly challenging, without any kind of industry experience.
[44:50.760 --> 45:17.520]  And then it says less challenging with studying and the Efficient Index. So the Efficient Index, what that means is that you're actually able to take your study materials and bring them in with you and use those as references to pass the exam. So when you're going through in the test center, because this isn't a hands-on certification, it's you go and take it in a test center, and you can take your books with you.
[45:17.520 --> 45:28.120]  So create an index of crucial points that you may or may not be well-diversed in so that you can reference those during the exam.
[45:29.480 --> 45:44.160]  So now we have the Certified Professional Penetration Tester, also known as the eCPPT. This is an eLearn Security certification. The cost for it is $1,600. That's with materials, labs, and an exam voucher.
[45:44.160 --> 45:56.480]  Again, they provide everything for you. And then I would say two to four months of consistent studying. I would argue that two hours may or may not be enough, just depending.
[45:56.480 --> 46:09.420]  And then the exam itself is seven days long. It's an actual, real-life pen test where they don't give you any questions or anything. They just give you a rule of engagement that tells you what you need to do.
[46:09.580 --> 46:15.820]  And then you go and do that over seven days, and then you have seven days after that to write a report and submit it to eLearn Security.
[46:15.820 --> 46:30.600]  So this is a really good certification for those of you that are looking to get some real-life knowledge in how penetration testing works, because this really, really hits the nail on the head of how they do it. It's fantastic.
[46:31.060 --> 46:44.060]  Passing without industry experience, it's going to be challenging. However, because of how eLearn Security operates and how their certifications are, they provide you everything you need to pass the exam.
[46:44.060 --> 46:54.840]  So if this is a certification that you decide to get, the material that they give you is really going to help you strive and achieve and pass the exam.
[46:55.240 --> 47:05.440]  And then we have the big cert that I'm sure a lot of you have heard of. It's the Offensive Security Certified Professional, also commonly known as the OSCP.
[47:05.940 --> 47:22.960]  The cost for this certification is $150 for a voucher. However, on the initial purchase, when you're deciding to get the labs and the material and all that stuff, you're going to spend about $1,350. You're going to get the exam voucher, the materials, and the labs. And you only get the labs for 90 days.
[47:26.420 --> 47:47.280]  I hear a lot of individuals like to get an extension on the lab so that they have the labs for six months. If you want to do that, you're looking at another $800. However, I would argue that you might not need that. There's other resources such as TryHackMe, Vulnhub, and HackTheBox that you can use.
[47:47.280 --> 48:07.280]  However, I'm not saying you don't have to do the lab extension. If you feel that that would give you a good return on your investment while going through the journey of getting OSCP, then absolutely do it. However, I would baseline that this certification is probably going to cost you about $350. I'm sorry, not $350. It's going to cost you about $1,500 altogether.
[48:07.280 --> 48:27.960]  So how long does it take to get this? On average, and again, this is the rule, not the exception that I've seen over the past few years, six months to a year. And I see individuals that get it done in less time and other individuals that it takes more time. However, the average is about six months to a year.
[48:28.960 --> 48:50.800]  And that's with consistent studying. And you can read a lot of stories of individuals out there that studied for three, four, five, six hours a day, or completely lost their weekends because they spent their whole weekend just studying for this exam. And you can use additional resources such as TryHackMe, HackTheBox, and Vulnhub, as I mentioned.
[48:50.800 --> 49:09.240]  So the exam is a 24-hour hands-on exercise where you get five machines that vary in difficulty and points, and you have to hack those. And then you have 24 hours to write a report after you've hacked however many machines you get into.
[49:09.240 --> 49:30.500]  So passing without industry experience, this is a very, very challenging exam. It's a very sought-after exam for good reason because it's so challenging. So when you're going after this exam, know that it is very challenging and you're going to hit a lot of roadblocks. You're going to hit a lot of speed bumps that you're going to have to work around.
[49:30.500 --> 49:52.080]  So those are the certifications that I recommend you look at in that order. Don't go straight after the OSCP. Look at some other certifications that are going to help build your career into pen testing. However, now that we've talked about degrees and certifications, let's talk about some of the skill sets that we need to develop as well.
[49:52.080 --> 50:17.880]  So programming. Do you have to be a programmer to be a penetration tester? Absolutely not. I am not a programmer. I can do some scripting and things like that, but I'm not a software engineer or a programmer by any means. However, it is good to know how to script and automate tools and things that you're using during a pen test. And one of the best languages to do that with is Python.
[50:17.880 --> 50:38.080]  If you're trying to think about a language to use for pen testing, Python is going to be the best one. Because it's used to write exploits, it's used to do automation, to automate tasks, things like that, and to also write quick scripts to help you, again, automate tasks. Bash, same thing. Scripting and automation.
[50:38.080 --> 50:56.300]  And then I put C and Java because you'll notice a lot of exploits out there are written in C and Java. And especially with C, you'll learn how to compile and decompile exploits. So it's good to just know the basic understanding of C and Java.
[50:57.940 --> 51:23.900]  Other things that are good to be knowledgeable in are operating systems, Windows and Linux. We need to at least understand the basics of how the file systems work and the basics of some of the commands that we're going to commonly be using, as well as networking. You need to be able to fire off ports and protocols without even having to reference anything, as well as understanding just how TCP and IP stuff works. Everything at the network layer.
[51:25.140 --> 51:39.960]  And then software, just understanding the basics, again, how you compile and decompile software. And then right now, cloud. Cloud is a great thing to understand just even the basics. And if you have security knowledge in it, it's going to make you competitive.
[51:39.960 --> 51:59.680]  And I say that because cloud pentesting, especially in pentesting, there's not a traditional cloud framework that's been published yet. There's a lot of ideas, and there's a lot of great resources out there on how to execute a cloud pentest. However, there's not a traditional framework set in stone yet.
[51:59.680 --> 52:24.200]  So if you decide to strive into cloud and focus on that area, it's going to make you a little bit competitive in that aspect. And then now we need to talk about how do we maintain this energy pushing us forward into pentesting, and then also once we're even in pentesting.
[52:24.200 --> 52:44.000]  So a big thing, again, we talked about networking. Well, what are some other ways how we can network in a less untraditional way? Join online hacking forums, Reddit, Discord, Slack. Those are really great resources to use that are going to help you meet other people.
[52:44.000 --> 53:04.660]  Create a blog and publish any of your writings, whether they be technical or non-technical. As I mentioned before, we need to continuously evaluate our technical skills using those platforms such as Hack the Box, VulnHub, things like that. You can use those and then create write-ups based off of things that you hacked on those and publish them on a blog.
[53:04.660 --> 53:22.160]  And then when you're applying somewhere, you can put your blog in your resume and have that as a reference point for the employer to look at and say, oh, this individual actually has their technical chops up to speed and they've created some really good content that shows that they're technically competent.
[53:22.160 --> 53:41.200]  And that's what's going to help give you a competitive edge is by being able to publish these technical writings. And even non-technical, you can talk about ideas and talk about frameworks and things like that. It's all about just putting your name out there and not being afraid.
[53:41.740 --> 54:04.000]  And then subscribe to any of the hacking platforms. I put some of the costs on here. VulnHub is free. However, they did just create a partnership with Offensive Security. So it's going to be awesome to see how those two companies move forward with the VulnHub platform. And then you have tryhackme.com, Hack the Box. Those are the subscriptions. And then you got Pentester Academy.
[54:04.000 --> 54:26.320]  Those are going to be some really great resources that will allow you to continuously build your technical skill set as well as even in things like VulnHub. But on Hack the Box, there's a big community on Hack the Box where individuals talk to each other and everything. So again, there's another part where you can actually network.
[54:26.320 --> 54:55.960]  And then I say here, find your niche, right? Find what you really, really like. I really like cloud and academia. I really like cloud because it's a continuously expanding technology and it's the hot topic right now. And there's a lot of areas for research, as well as I like academia a lot. I really like giving back. And I really like research. So when you work in academia, you get to continuously evaluate and renew your skill set and just your framework in your head.
[54:56.320 --> 55:13.920]  But there's some other areas, whether it be system, network, security, development. These are just a few things, but there's so many areas of offensive security and pentesting that you can really, really dive into and go down the rabbit hole, so to speak.
[55:14.660 --> 55:36.460]  And the other big thing is to find a mentor, no matter where you're at. Even once you become a penetration tester, make sure that you have mentors, because those are going to be the individuals that are going to hold you accountable to keeping your goals, right? And find other student pentesters. This is a good thing, especially if you're wanting to be a pentester.
[55:36.460 --> 55:58.900]  Whether you're a student at school, or you're just a self-taught pentester. Find other ones that are just like you and see how they are in their journey, and you can help each other out to get into pentesting. And the other thing is to find a mentee. Find someone that you can help, right? That you can help push their career where they want to go.
[55:58.900 --> 56:21.520]  And then also there's the bug bounty platforms. Those are great to have, because those are going to give you a real world sense of how you can hack a live web application. And also help you understand the business side of things, because you're going to be producing vulnerability reports or vulnerability and pentesting reports that go to those organizations.
[56:22.500 --> 56:47.680]  And then to finish off, I wanted to talk about the challenges that we're seeing during the pandemic era, right? Because COVID is just, it's really thrown the whole world for a loop, right? So what's something big is remote work has become very, very popular, right? So it's making things competitive. However, it's also opening things up for a lot of us, right? So make your online presence visible, right?
[56:47.680 --> 56:54.720]  Through social media, through Twitter, through LinkedIn, things like that. You can really, really use this time to shine on social media.
[56:56.780 --> 57:10.420]  Another big thing is hiring freezes. We're seeing a lot of companies just freeze all the hirings altogether. So what does that mean? That means you might not be able to go get that job with that certain company that you wanted to get to, right?
[57:11.340 --> 57:28.460]  And we've seen this a lot right now, even with like interns, we've seen a lot of internships, you know, kind of go away because hiring freezes and all that stuff. So what can you do to work around this? Well, go look at those bug bounty programs. You know, see if you can build your skill set there and make a little money while you're doing it, right?
[57:29.100 --> 57:43.140]  And if you want to try another avenue, use your network, right? Go on LinkedIn, go on Twitter, Facebook, anything where you may know someone who can help push your career where you want to go.
[57:43.140 --> 58:02.900]  And the other big thing is, too, is the great and I want to add, it's a great thing is that all these conventions that we're having right now, most of them are free, and they're all online, right? And so, you know, use that to your advantage and use that as a platform where you can get your name out there.
[58:03.420 --> 58:21.260]  And again, it all falls in line with leaving fear in the rearview mirror and being humble. So, you know, just don't be scared. Don't be scared to talk to anyone and make sure that, you know, you're attentive and you listen, and that, you know, you're eager to learn what they have to tell you.
[58:21.780 --> 58:45.420]  And then the other big thing is layoffs and furloughs. We've seen a lot of individuals lose their jobs or have their jobs put on pause. So, and this goes more towards you, is that if you've been laid off or you've been furloughed, use this time to reassess your skill set, you know, maybe set a milestone that you didn't think you're going to have to set for a while.
[58:45.420 --> 59:14.220]  But COVID has, you know, COVID has no bias. So, if it has affected you, you know, use that time to better yourself, right? And it says go through steps one and two, you know, make your presence on, you know, your online presence on social media a lot bigger. And then also, you know, use your network, expand in your network, attend conferences, and look at other avenues of ways of how you can develop your skill set.
[59:14.220 --> 59:35.100]  And another big thing too, and I didn't put it on here is, you know, if you have a certification that you wanted to get for a while, I've seen a lot of individuals getting certifications currently, use this time to spend a little money, get a certification or two, and then, you know, hit the workforce, you know, heavy when things start to go back to normal.
[59:36.860 --> 01:00:04.440]  And then to close this out, you know, in your journey, you know, you're going to start out in your journey and you're going to have a lot of motivation, you're going to have a lot of energy, and you may have some self-doubt, but your focus and your determination is drowning that out. And then you're going to have your speed bumps and you're going to fail a little bit. But don't let that motivation stop. Don't let fear and doubt creep in just because you hit a speed bump and you fail a little bit here and there, right?
[01:00:04.440 --> 01:00:28.240]  Because you only completely fail when you quit. So instead, take that time to learn what you did wrong. Take that time to learn how you can do better the next time and how you can grow. Because security is a journey. It's not a destination. So that's all I have for you guys. I appreciate everyone for coming to my talk.
[01:00:28.240 --> 01:00:43.980]  Again, my name is John Helmes. And if anyone has any questions for me, please feel free to reach out to me at my blog, or I have a pretty heavy presence on LinkedIn. So yeah, so again, thanks, everybody, and I'll see you around.
